From 5bf83f81f4f4474b15bcc7e0ea6525a2fbfaaba4 Mon Sep 17 00:00:00 2001
From: Jacques Vidrine
Date: Fri, 3 May 2002 15:21:36 +0000
Subject: [PATCH] Patch a heap overflow. See and .

Obtained from: Heimdal repository
---
 security/heimdal/Makefile | 2 +-
 .../heimdal/files/patch-appl::ftp::ftp::ftp.c | 65 +++++++++++++++++++
 2 files changed, 66 insertions(+), 1 deletion(-)
 create mode 100644 security/heimdal/files/patch-appl::ftp::ftp::ftp.c

diff --git a/security/heimdal/Makefile b/security/heimdal/Makefile
index 4d3bc60076bb..b6bc88aadcf4 100644
--- a/security/heimdal/Makefile
+++ b/security/heimdal/Makefile
@@ -7,7 +7,7 @@
 PORTNAME= heimdal
 PORTVERSION= 0.4e
-PORTREVISION= 2
+PORTREVISION= 3
 CATEGORIES= security ipv6
 MASTER_SITES= ftp://ftp.pdc.kth.se/pub/heimdal/src/ \
 ftp://ftp.replay.com/pub/replay/crypto/APPS/kerberos/heimdal/ \
diff --git a/security/heimdal/files/patch-appl::ftp::ftp::ftp.c b/security/heimdal/files/patch-appl::ftp::ftp::ftp.c
new file mode 100644
index 000000000000..0cee1bd61e8f
--- /dev/null
+++ b/security/heimdal/files/patch-appl::ftp::ftp::ftp.c
@@ -0,0 +1,65 @@
+Index: appl/ftp/ftp/ftp.c
+===================================================================
+RCS file: /home/kth-krb/appl/ftp/ftp/ftp.c,v
+retrieving revision 1.70
+retrieving revision 1.71
+diff -u -r1.70 -r1.71
+--- appl/ftp/ftp/ftp.c 2001/09/07 20:28:10 1.70
++++ appl/ftp/ftp/ftp.c 2002/04/24 21:55:07 1.71
+ struct sockaddr *hisctladdr = (struct sockaddr *)&hisctladdr_ss;
+@@ -312,7 +312,8 @@
+ char *lead_string;
+ int c;
+ struct sigaction sa, osa;
+- char buf[1024];
++ char buf[8192];
++ int long_warn = 0;
+ 
+ sigemptyset (&sa.sa_mask);
+ sa.sa_flags = 0;
+@@ -368,7 +369,7 @@
+ if (verbose > 0 || (verbose > -1 && code > 499))
+ fprintf (stdout, "%s%s\n", lead_string, buf);
+ if (buf[3] == ' ') {
+- strcpy (reply_string, buf);
++ strlcpy (reply_string, buf, sizeof(reply_string));
+ if (code >= 200)
+ cpend = 0;
+ sigaction (SIGINT, &osa, NULL);
+@@ -381,17 +382,12 @@
+ osa.sa_handler (SIGINT);
+ #endif
+ if (code == 227 || code == 229) {
+- char *p, *q;
++ char *p;
+ 
+- pasv[0] = 0;
+ p = strchr (reply_string, '(');
+ if (p) {
+ p++;
+- q = strchr(p, ')');
+- if(q){
+- memcpy (pasv, p, q - p);
+- pasv[q - p] = 0;
+- }
++ strlcpy(pasv, p, sizeof(pasv));
+ }
+ }
+ return code / 100;
+@@ -404,9 +400,15 @@
+ }
+ }
+ p = buf;
++ long_warn = 0;
+ continue;
+ default:
+- *p++ = c;
++ if(p < buf + sizeof(buf) - 1)
++ *p++ = c;
++ else if(long_warn == 0) {
++ fprintf(stderr, "WARNING: incredibly long line received\n");
++ long_warn = 1;
++ }
+ }
+ }
+
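Review bot: The rewritten 227/229 branch removes the `pasv[0] = 0;` reset without replacing it, so a reply that carries no '(' now leaves pasv holding whatever an earlier passive-mode reply stored there instead of an empty string; keeping `pasv[0] = '\0';` immediately before `p = strchr (reply_string, '(');` restores the old fail-closed behaviour. The new `strlcpy(pasv, p, sizeof(pasv));` also copies through the closing ')' and anything that follows it, which the old memcpy stripped, so the code that later parses pasv (not in this hunk) should be checked to tolerate that trailing text. Both `sizeof(reply_string)` and `sizeof(pasv)` bound the copies only if those names are declared as sized arrays in scope rather than pointers or unsized externs; their declarations are not visible here. The over-long-line branch silently discards bytes past the 8191st and still hands the truncated line to the reply parser, which is safe for memory but worth a short comment such as `/* drop the rest of an over-long reply line; the truncated prefix is still parsed */`. The enclosing function begins and ends outside the hunk.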